# Domain 2: Threats, Vulnerabilities, and Mitigations

**Exam Weight:** 22% | Second highest weighted domain
## Domain Overview
Domain 2 focuses on understanding the threat landscape—who attacks systems, how they attack, what vulnerabilities they exploit, and how to defend against them. This is the second-largest domain on the exam and requires both theoretical knowledge and practical understanding of real-world attack scenarios.
## Learning Objectives
After completing this domain, you should be able to:
- [ ] Identify different threat actor types and their motivations
- [ ] Explain common attack vectors and how threat actors exploit them
- [ ] Recognize various vulnerability types across systems and applications
- [ ] Analyze indicators of malicious activity (malware, network attacks, application attacks)
- [ ] Apply appropriate mitigation techniques to defend against threats
## Lessons in This Domain
| Lesson | Topic | Objectives Covered |
|--------|-------|-------------------|
| `01_threat_actors.md` | Threat Actors and Motivations | 2.1 |
| `02_attack_surfaces.md` | Attack Surfaces and Vectors | 2.2 |
| `03_vulnerabilities.md` | Vulnerability Types | 2.3 |
| `04_malicious_activity.md` | Indicators of Malicious Activity | 2.4 |
| `05_mitigation_techniques.md` | Mitigation Techniques | 2.5 |
## Key Concepts at a Glance

### Threat Actor Types
| Actor Type | Resources | Sophistication | Primary Motivation |
|------------|-----------|----------------|-------------------|
| Nation-State | Very High | Very High | Espionage, Warfare |
| Organized Crime | High | High | Financial Gain |
| Hacktivists | Medium | Medium | Political/Social Change |
| Insider Threats | Varies | Varies | Revenge, Financial Gain |
| Unskilled Attackers | Low | Low | Curiosity, Attention |
### Attack Vector Categories
| Vector Type | Examples |
|-------------|----------|
| Message-Based | Email phishing, SMS (SMiShing), IM attacks |
| Network-Based | Open ports, default credentials, wireless attacks |
| Supply Chain | Compromised vendors, malicious updates |
| Social Engineering | Impersonation, pretexting, phishing |
| Physical | USB drops, RFID cloning, tailgating |
### Vulnerability Categories
| Category | Examples |
|----------|----------|
| Application | Buffer overflow, race conditions, injection flaws |
| Web-Based | SQLi, XSS, CSRF, SSRF |
| Operating System | Unpatched systems, misconfigurations |
| Hardware/Firmware | EOL devices, rootkits, supply chain tampering |
| Cloud-Specific | Misconfigurations, shared responsibility gaps |
| Mobile | Sideloading, jailbreaking, rooting |
### Malware Types
| Malware | Behavior |
|---------|----------|
| Virus | Requires host file, spreads when executed |
| Worm | Self-replicating, spreads across networks automatically |
| Trojan | Disguised as legitimate software |
| Ransomware | Encrypts data, demands payment |
| Rootkit | Hides at kernel level, very difficult to detect |
| RAT | Provides remote backdoor access |
| Spyware/Keylogger | Monitors and steals information |
## Exam Tips for Domain 2

**⚠️ High-Priority Topics:**
- Know ALL threat actor types and their characteristics
- Memorize the difference between phishing variants (vishing, SMiShing, spear phishing, whaling)
- Understand injection attacks (SQLi, XSS, LDAP injection, command injection)
- Be able to identify IoCs (Indicators of Compromise) in scenarios
**⚠️ Common Exam Traps:**
- Don't confuse vulnerability (a weakness), threat (something that could exploit the weakness), and risk (likelihood × impact)
- Worms spread automatically; viruses require user action (the infected host file must be executed)
- Zero-day describes timing, not severity: the vulnerability is known or exploited before a vendor patch exists
- APT describes the adversary (persistent, well-resourced, sophisticated), not a specific malware type
**⚠️ Scenario Question Strategy:**
When given an attack scenario, identify:
- WHO is the threat actor? (motivation, resources)
- WHAT vector did they use? (how did they get in)
- WHAT vulnerability did they exploit? (what weakness)
- WHAT indicators show the attack? (evidence/artifacts)
- HOW should it be mitigated? (appropriate controls)
## Study Checklist

### Objective 2.1: Threat Actors
- [ ] Compare threat actor types (nation-state, organized crime, hacktivists, insiders, unskilled)
- [ ] Explain threat actor attributes (internal/external, resources, sophistication)
- [ ] Identify threat actor motivations (financial, political, espionage, revenge, disruption)
### Objective 2.2: Attack Surfaces and Vectors
- [ ] Explain message-based vectors (email, SMS, IM)
- [ ] Describe network vectors (wireless, Bluetooth, default credentials)
- [ ] Understand supply chain risks (vendors, MSPs, software updates)
- [ ] Explain social engineering techniques
### Objective 2.3: Vulnerabilities
- [ ] Identify application vulnerabilities (memory, injection, race conditions)
- [ ] Explain web vulnerabilities (SQLi, XSS, CSRF)
- [ ] Describe OS and hardware vulnerabilities
- [ ] Understand cloud and virtualization vulnerabilities
- [ ] Explain mobile device vulnerabilities
### Objective 2.4: Malicious Activity
- [ ] Recognize malware types and behaviors
- [ ] Identify physical attack indicators
- [ ] Analyze network attack indicators
- [ ] Understand application attack indicators
- [ ] Explain cryptographic attack types
### Objective 2.5: Mitigation Techniques
- [ ] Apply segmentation and access controls
- [ ] Implement hardening techniques
- [ ] Use monitoring and detection tools
- [ ] Apply patching and configuration management
## Quick Reference: Attack Chain

Each column is one phase of the chain, read left to right; the rows below the header are example activities for that phase.

| Reconnaissance | Weaponization | Delivery | Exploitation | Installation | C2 | Actions |
|----------------|---------------|----------|--------------|--------------|----|---------|
| Scanning | Create payload | Phishing | Exploit vuln | Backdoor | Beaconing | Exfil |
| OSINT | Malware dev | USB drop | Buffer overflow | Rootkit | Persistence | Data theft |
| Social eng | Trojanize app | Watering hole | Injection | RAT | Lateral mov | Destruction |
## External Resources
- MITRE ATT&CK Framework - Comprehensive adversary tactics and techniques
- NIST NVD - National Vulnerability Database
- OWASP Top 10 - Web application security risks
- CVE Database - Common Vulnerabilities and Exposures